A demo of how to write, test and distribute your own custom rules for the Snyk IaC product.
For more details and examples see the documentation.
This repository currently has two example Kubernetes rules:
- BEN-K8S-1 checks that container images are being pulled from an approved registry
- BEN-K8S-2 checks that the container image references a specific tag, not `latest`
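To make the intent of the two rules concrete, here is an added example that is not part of this repository (the real rules are written in Rego and run by `snyk-iac-rules`): a small Python checker that parses container image references the way a registry client does and reports the same two findings, BEN-K8S-1 and BEN-K8S-2, over a Kubernetes Deployment. The allow-list `APPROVED_REGISTRIES`, the sample manifest, the finding dictionaries and the decision to accept a digest-pinned image as "specific" are all constructed for this example.

```python
"""Plain-Python re-implementation of the logic behind BEN-K8S-1 and BEN-K8S-2.

Added example, not the repository's Rego rules. It exists so the
image-reference parsing and the failure cases can be exercised offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed allow-list for the demo; a real rule would read its own config.
APPROVED_REGISTRIES = {"registry.example.com"}

# Registry assumed when a reference carries no explicit registry host.
DEFAULT_REGISTRY = "docker.io"


def parse_image(ref: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Split an image reference into (registry, repository, tag, digest).

    Follows the docker/distribution reference grammar: the first path
    component is a registry only if it contains '.' or ':' or equals
    'localhost'; otherwise the registry defaults to docker.io. The digest
    ('@sha256:...') is split off first because it also contains ':' and
    would otherwise be mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    components = ref.split("/")
    first = components[0]
    if len(components) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(components[1:])
    else:
        registry, path = DEFAULT_REGISTRY, ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def _containers(manifest: Dict) -> List[Dict]:
    """Collect containers and initContainers from a Pod or a pod-template workload."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def check_manifest(manifest: Dict) -> List[Dict[str, str]]:
    """Return one finding dict per rule violation, in container order."""
    findings = []
    for container in _containers(manifest):
        registry, repo, tag, digest = parse_image(container["image"])
        # BEN-K8S-1: the image must come from an approved registry.
        if registry not in APPROVED_REGISTRIES:
            findings.append({"id": "BEN-K8S-1", "container": container["name"],
                             "msg": f"{repo} is pulled from unapproved registry {registry}"})
        # BEN-K8S-2: a missing tag is implicitly `latest`, so it fails too.
        # A digest pins the image more precisely than a tag, so it is accepted here
        # (a design choice of this example).
        if digest is None and (tag is None or tag == "latest"):
            findings.append({"id": "BEN-K8S-2", "container": container["name"],
                             "msg": f"{container['image']} is not pinned to a specific tag"})
    return findings


# Constructed sample Deployment covering the pass and fail cases.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "migrate", "image": "registry.example.com/app/migrate@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "api", "image": "registry.example.com/app/api:1.4.2"},   # passes both
            {"name": "worker", "image": "registry.example.com/app/worker"},  # no tag -> BEN-K8S-2
            {"name": "proxy", "image": "nginx:latest"},                      # fails both
        ],
    }}},
}


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_DEPLOYMENT):
        print(f"{finding['id']} [{finding['container']}]: {finding['msg']}")
```

Running the module prints three findings: the `worker` container with no tag, and the `proxy` container once for each rule. The `migrate` init container passes because its digest pins the image and its registry is on the allow-list.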
This repository demonstrates a pull-request based workflow, with commit status checks enabled so that the development workflow must pass before the PR can be merged.
Upon merging the pull request, the release process is kicked off.
- Create a fork of this repository
- Set up the following GitHub secrets:
  - `SNYK_TOKEN`: your Snyk API token, either a personal or a service account token
  - `OCI_REGISTRY_USERNAME`: the username for your OCI registry, e.g. your DockerHub username
  - `OCI_REGISTRY_PASSWORD`: the password for that registry; if you're using DockerHub this should ideally be an access token, not your personal password
Local Development
- Ensure you are up to date with `git pull`
- Create a new branch locally named `feat/<name>`, e.g. `feat/ben-k8s-3`
- Make your change, e.g. adding a new rule
- Add your integration tests to `/integration/spec/snyk_spec.sh`
- Run your unit tests with `snyk-iac-rules test`
- Build your rules with `snyk-iac-rules build`
- Finally, if this all passes, run `make int` to run your integration tests
  - You'll need to target a Snyk org which has Custom Rules disabled so that you can pass in a local bundle. You do this with `snyk config set org=orgname`
- If the tests pass, go ahead and commit your changes and push
Open a Pull Request
- In GitHub open a new pull request
- This will kick off a GitHub Action which runs the unit tests, the build and the integration tests
- If these all pass then the PR can be merged
When the PR has passed all of the checks:
- Merge the pull request into `main`
- This will kick off the release process, which:
  - Runs the unit tests & build
  - Increments the patch on the version
  - Tags the commit and creates a release
  - Uploads the `bundle.tar.gz` file to the release
  - Pushes the artefact to your configured OCI registry
  - Configures your Snyk Group with the bundle location & specific tag to be used